Social engineering, or “SE”, is an activity that manipulates a person into taking an action that may or may not be in their interest. Here we focus on the malicious forms of SE, which are used for hacking and spying in particular and which underlie plenty of other categories as well. It is also important to understand the psychological, physiological, and, last but not least, technological aspects of influencing someone. Even when the same techniques are used for positive outcomes, they will also be used maliciously. Malicious social engineering can be divided into three types: phishing, vishing, and impersonation. Let’s discuss each of these categories briefly.
Phishing
Phishing is done by sending someone an email that appears to come from a reputable source, with the aim of controlling the recipient and obtaining private information.
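The defining trait of a phishing email is that it looks as if it came from a reputable source while the actual sender does not belong to that source. The following Python snippet is an added example, not code from the original article, that checks a raw message's headers for that mismatch from a defender's side: a display name or sender domain that mentions a known brand while the address is not one of that brand's domains, and a Reply-To that diverts replies elsewhere. The brand list (`TRUSTED_BRANDS`) and the two sample messages are constructed for illustration and are not authoritative.

```python
"""Added example (not part of the original article): header-level
phishing indicators for the 'looks like a reputable source' pattern.
TRUSTED_BRANDS and the sample messages below are constructed for the demo."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: brand keyword -> domains that brand really uses.
# Assumed values for illustration only; a real deployment would maintain its own.
TRUSTED_BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "outlook.com"},
}


def domain_of(addr):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def belongs_to(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def phishing_indicators(raw_message):
    """Return human-readable indicators found in the headers.

    An empty list means none of these heuristics fired; it is not proof
    that the message is safe."""
    msg = message_from_string(raw_message)
    indicators = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    name_lower = display_name.lower()

    for brand, domains in TRUSTED_BRANDS.items():
        # 1. Display name claims the brand, but the address is not the brand's.
        if brand in name_lower and not belongs_to(from_domain, domains):
            indicators.append(
                f"display name mentions '{brand}' but sender domain is '{from_domain}'"
            )
        # 2. Lookalike domain: the brand name sits inside an unrelated domain.
        if brand in from_domain and not belongs_to(from_domain, domains):
            indicators.append(
                f"sender domain '{from_domain}' contains '{brand}' but is not a known {brand} domain"
            )

    # 3. Replies are steered to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = domain_of(parseaddr(reply_to)[1])
        if reply_domain and reply_domain != from_domain:
            indicators.append(
                f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'"
            )
    return indicators


# Constructed sample messages (no real senders or recipients).
SAMPLE_PHISH = (
    "From: PayPal Support <alerts@paypal-secure.example>\n"
    "Reply-To: recover@mailbox.example\n"
    "Subject: Your account is limited\n"
    "\n"
    "Please sign in to restore access.\n"
)
SAMPLE_LEGIT = (
    "From: PayPal <service@paypal.com>\n"
    "Subject: Your receipt\n"
    "\n"
    "Thanks for your purchase.\n"
)

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

These checks only look at what the recipient sees; they complement, rather than replace, sender authentication such as SPF, DKIM and DMARC, which verify whether the sending infrastructure is authorized for the domain at all.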
Vishing
Vishing is the practice of eliciting information, or attempting to influence action, over the telephone; it includes tools such as cell phone spoofing.
Impersonation
Impersonation is the act of sending someone pretext messages while posing as another person, with the aim of gaining information or access to a person, company, or computer device.
Major categories of Social Engineering
Social engineering can be further categorized by who uses it and why. Its users range from professional spies, black hat hackers, and white hat hackers to salespeople and everyday people.
Hackers
They usually rely on social engineering techniques because human weakness is easier to exploit than network weakness. Most of the time, professional hackers win because they are not bound by time or motivation. An ordinary person may work 8 hours a day to accomplish their goals, but professional hackers will spend 24 hours a day to accomplish theirs. They invest a great deal of time and due diligence in learning every aspect of their target, and then they turn all of their skills and energy on the human infrastructure, which can truly harm a company within a few minutes. They obtain the target’s personal information, passwords, remote user accounts, and plenty of other things. Over the last few years, sponsored hackers have taken the world by storm and made headlines worldwide. Their attacks can be devastating for the target, and below we give a little information about how hackers carry out these attacks and what the ultimate damage is.
The Lazarus Group: Example no. 1
The Lazarus Group is one of the most destructive hacking collectives in cyberspace. It is allegedly responsible for the monstrous 2014 Sony hack and the $81 million Bangladesh Bank heist, and it is also allegedly involved in the 2017 WannaCry ransomware attack. Over the last few years, its activity has been detected in more than 18 countries around the world.
Fancy Bear: Example no.2
Fancy Bear, also known as APT28, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM, is a cyber-espionage group. It uses several hacking methods, such as zero-day exploits, spear phishing, OAuth phishing, and malware. The group is allegedly responsible for several breaches, such as the 2016 attacks on the World Anti-Doping Agency (WADA) and the phishing attacks that were devastating for the Democratic National Committee (DNC).
Spying or Espionage
People who spy have the skills and methods to fool their victims into believing they are someone or something they are not.
Chris Hadnagy, in Social Engineering: The Art of Human Hacking, states: “Furthermore, being able to use social engineering, the number of times people who spy will also be created, having a little or a lot regarding business or government, they are trying to social engineer.”
Espionage, or spying, is basically a set of skills used to obtain information about a target, whether a person, a government, or a competing industry, with the aim of replacing a government or gaining financial or other advantages. On the other hand, not all intelligence gathering, such as codebreaking or aircraft and satellite photography, can be labeled spying. For decades, espionage was known for obtaining political and military intelligence. With the rise of technology, the focus has widened to communication technologies, IT, energy, scientific research, aviation, and plenty of other sectors.
The following are a few examples of military and industrial spying that show how these skills were used to carry out social engineering attacks.
State-sponsored Facebook Fakes
In January 2017, the Israeli Defense Forces (IDF) published a blog post on their website stating that attacks had been launched against their military personnel using an influence tactic known as liking. Attackers created fake Facebook profiles of attractive young women to entice IDF soldiers to befriend them. After the fake profiles gained the soldiers’ trust by exchanging text messages and sharing photos, they eventually asked for a video chat. To video chat, the soldier had to install an app that was actually a virus. Once the soldier installed it, the phone became an open book, exposing contacts, location, apps, photos, and files, and in the end all of this went to Hamas operatives.
Penetration testers
Penetration testers are the ones who test systems for vulnerabilities and unauthorized-access breaches. Their work, also called pen testing, is the skill of testing computer machines, networks, web applications, or an on-site perimeter to find the vulnerabilities and loopholes in a system that hackers use for spying.
Pen Testing & Social Engineering
Business organizations with verification procedures, firewalls, VPNs, and network monitoring software can still suffer cyber-attacks if an employee unwittingly provides confidential information. “SE” is the human side of checking for corporate network vulnerabilities. Penetration testers use different skills to test their target by means of phishing, vishing, and impersonation. A penetration tester mimics the breaches that a malicious social engineer could use to compromise the target system. Therefore, companies hire pen testers to deal with malicious “SE” and prevent breaches.
Identity thieves
Identity theft is the malicious art of stealing someone’s identity or personally identifiable information (PII), such as name, address, social security number, and email address. People do it for financial gain and to commit a number of criminal acts. They can use stolen payment card accounts to make fraudulent purchases and to take control of the target’s existing accounts.
CNN reported that the private information of kids and teens, including social security numbers, mother’s maiden names, and dates of birth, has been found for sale on the dark web.
Identity theft is not restricted to individuals; business identity theft, in which attackers hijack a company’s website and phone numbers using social engineering techniques, has also been on the rise.
Disgruntled Employees
Most employees who become disgruntled, and who have uncontrolled internet access at the workplace, do so for very common reasons: they feel irritated, overworked, underpaid, and, last but not least, passed over for promotion. According to the job satisfaction survey conducted by the Conference Board, five factors that shape the satisfaction of US workers are promotion policies, bonus plans, education and job training programs, and performance evaluation procedures.
Disgruntled Employees could be a risk for the company

The Insider Report 2018 found that 90% of business organizations have to deal with insider threats. Disgruntled employees are dangerous because they combine two elements: access and motivation. They usually have access to confidential information, financial information, and high-level administrative privileges in corporate applications. The five factors discussed earlier can turn a productive employee into a disgruntled one. The ultimate threat to the company could be spreading negativity on social networking apps such as LinkedIn and Facebook, stealing confidential information, willingly leaking sensitive information, and even potential lawsuits.
Information Brokers
According to the Federal Trade Commission (FTC), data brokers are companies that collect information, including personal information about consumers, from various sources and then resell it to their customers for various purposes, such as verifying an individual’s identity or records, marketing products, and preventing financial fraud. Data brokers get information from many sources, but in the modern world, social media platforms such as Facebook, LinkedIn, WhatsApp, and others are among the biggest sources of data about the general public.
How do Data Brokers use Social Engineering?
They mostly use elicitation, scams, courting, and, last but not least, pretexting to obtain personal data. According to the book “Information and Security,” data brokers and other kinds of social engineers use a method known as courting: a seemingly random or chance meeting that builds rapport and then trust between the social engineer and the target. Over time they build a relationship, and then subtle pressure draws the information out of the target.
Scam Artist
A scam artist is a person who traps people in fraudulent or deceptive schemes in order to defraud them. A scam is usually a particular type of fraud that relies on a wide range of initial approaches dispersed to masses of people who do not know the scammer. There are two types of scams: mass-marketing fraud and advance fee fraud. Many social media scammers use Facebook and claim to be Facebook employees; they tell you that you have won the Facebook lottery and that the winner has to pay some money to release the winnings.
Conclusion:
Social engineering is worth the effort for attackers, and it works consistently. Social engineering tactics are time-consuming but effective, which is why malicious social engineers use these skills to achieve their goals. An experienced black hat hacker knows well that it can take days, weeks, or even months to gain access to a network and steal credentials. With social engineering techniques, such as using a pretext over the phone or by email, the same credentials can be obtained in a matter of minutes.
Resource links:
http://mobile.abc.net.au/news/2018-05-03/facebook-lotto-scam-targeting-social-media-users/9723322?pfm=sm
https://www.ftc.gov/news-events/press-releases/2006/01/choicepoint-settles-data-security-breach-charges-pay-10-million